centos7升级ssh

1、更新yum仓库默认的openssh版本

 yum update openssh -y

2、安装telnet-server以及xinetd

yum install xinetd telnet-server -y

3、配置telnet

#如果下面telnet文件不存在的话,可以跳过这部分的更改
ll /etc/xinetd.d/telnet

#文件存在的话,请把 disable = no 改成 disable = yes(关闭 xinetd 中的 telnet 条目,改由 systemd 的 telnet.socket 监听 23 端口,见下文 netstat 输出中监听进程为 systemd);root 能否通过 telnet 登录由后面的 /etc/securetty 配置决定

cat /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
 
[root@rhel yum.repos.d]# vim /etc/xinetd.d/telnet
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = yes
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}


#配置telnet登录的终端类型,在/etc/securetty文件末尾增加一些pts终端,如下
pts/0
pts/1
pts/2
pts/3

#配置之后的显示

[root@linux-node3 ~]# vim /etc/securetty
[root@linux-node3 ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3

#启动telnet服务,并设置开机自动启动
[root@linux-node3 ~]# systemctl enable xinetd
  
[root@linux-node3 ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@linux-node3 ~]#
 
[root@linux-node3 ~]# systemctl start telnet.socket
[root@linux-node3 ~]# systemctl start xinetd
[root@linux-node3 ~]# netstat -lntp|grep 23
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd 

#切换到 telnet 方式登录,以后的操作都在 telnet 终端下操作,防止 ssh 连接意外中断造成升级失败。注意 telnet 使用明文传输用户名和密码(见上面 xinetd 配置文件中的说明),只应在可信的管理网络内使用,升级验证完成后应停用 telnet 服务

![image](https://s1.ax1x.com/2020/06/09/t57x74.png)

4、安装依赖包

yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel

yum install  -y pam* zlib*

5、下载openssh包和openssl的包

wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

http://www.openssh.com/portable.html#http
选择一个下载地址后再 wget,例如选择香港的节点;通过镜像站下载时,建议先核对官方发布的校验和或签名,再解压使用
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz

5、开始安装openssl

mkdir /opt/tools/
cd /opt/tools/

#将下载包放到此目录
tar -xvf openssl-1.1.1g.tar.gz

#现在是系统默认的版本,等会升级完毕对比下
[root@linux-node3 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

#备份下面2个文件或目录(如果存在的话就执行)
ll /usr/bin/openssl
mv /usr/bin/openssl /usr/bin/openssl_bak

ll /usr/include/openssl
mv /usr/include/openssl /usr/include/openssl_bak

#编译安装新版本的openssl
# 配置参数
cd /opt/tools/openssl-1.1.1g
./config shared --openssldir=/usr/local/openssl --prefix=/usr/local/openssl

#编译和安装
make && make install

#以上命令执行完毕,echo $?查看下最后的make install是否有报错,0表示没有问题
echo $?

# 下面2个文件或者目录做软链接 (刚才前面的步骤mv备份过原来的)
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl

ll /usr/bin/openssl
ll /usr/include/openssl -ld

#命令行执行下面2个命令加载新配置
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf

/sbin/ldconfig

# 查看确认版本。没问题
> openssl version
OpenSSL 1.1.1g  21 Apr 2020

6、安装openssh

#上传openssh的tar包并解压
tar -xvf openssh-8.3p1.tar.gz
cd /opt/tools/openssh-8.3p1

#配置权限
chown -R root.root /opt/tools/openssh-8.3p1

#删除原先 ssh 的配置文件和目录。注意:这会连同原有的 sshd 主机密钥一起删除,安装后会生成新的主机密钥,之前连接过本机的客户端会提示主机密钥变更;如需保留,请先备份该目录
rm -rf /etc/ssh/*

#修改版本横幅字符串(应对安全扫描报出的低危"版本泄露"项)。这只改变对外显示的版本字符串,不改变实际安装的代码版本,真正的修复仍依赖及时升级
vi version.h 
#找到此行#define SSH_VERSION     "OpenSSH_8.3",将OpenSSH_8.3修改为自定义的

> sed -i 's/OpenSSH_8.3/welcome back/g' version.h
> cat version.h


#配置、编译、安装
./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install

#以上命令执行完毕,echo $?查看下最后的make install是否有报错,0表示没有问题
echo $?

# 修改配置文件最终为如下内容,其他的不要动
> grep "^PermitRootLogin"  /etc/ssh/sshd_config
PermitRootLogin yes

> grep  "UseDNS"  /etc/ssh/sshd_config
UseDNS no

> sed -i 's/#UseDNS no/UseDNS no/g' /etc/ssh/sshd_config
> grep  "UseDNS"  /etc/ssh/sshd_config

#从原先的解压的包中拷贝一些文件到目标位置(如果目标目录存在就覆盖)
cd /opt/tools/openssh-8.3p1
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd

# 把原先由 systemd 管理的 sshd.service 文件移走(或删除),不移走的话会影响我们重启 sshd 服务
mkdir /opt/tools/bak
mv /usr/lib/systemd/system/sshd.service /opt/tools/bak/

#设置sshd服务开机启动
> chkconfig sshd on
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket

# 接下来测试服务的启停,确认都正常;以后通过下面的方式管理 sshd
/etc/init.d/sshd restart
#查看22端口
netstat -lntp

/etc/init.d/sshd stop
#查看22端口
netstat -lntp

/etc/init.d/sshd start


#也可以使用 systemd 方式管理
systemctl stop sshd
systemctl start sshd
systemctl restart sshd

#测试版本。都正常
> ssh -V
welcome backp1, OpenSSL 1.1.1g  21 Apr 2020

> telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-welcome back

# 注意 SSH-2.0- 后面显示的是前面自定义的版本字符串,说明横幅修改已生效
